AWSConfigRemediation-EnableLoggingForALBAndCLB - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-EnableLoggingForALBAndCLB runbook enables logging for the specified Amazon Application Load Balancer or a Classic Load Balancer (CLB).

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • LoadBalancerId

    Type: String

    Description: (Required) The Classic Load Balancer name or the Application Load Balancer ARN.

  • S3BucketName

    Type: String

    Description: (Required) The Amazon S3 bucket name.

  • S3BucketPrefix

    Type: String

    Description: (Optional) The logical hierarchy you created for your Amazon Simple Storage Service (Amazon S3) bucket, for example my-bucket-prefix/prod . If the prefix is not provided, the log is placed at the root level of the bucket.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:ModifyLoadBalancerAttributes

Document Steps

  • aws:executeScript - Enables and verifies the logging for the Classic Load Balancer or the Application Load Balancer.